Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

Oracle has today issued an email to customers to inform them that the tool OPatch.pl has an issue with file system privileges on Linux and Unix platforms. This is causing non-dba's to be denied access to the database after application of an interim patch using OPatch. The Oracle email is included in full below:

You are receiving this email because our records indicated you downloaded OPatch 1.0.0.0.54 and 10.2.0.1.1 before OPatch 1.0.0.0.55 and 10.2.0.1.2 were available.

A change of behavior in OPatch versions 1.0.0.0.54 and 10.2.0.1.1 was causing file permissions under Oracle_Home to be changed incorrectly when applying an interim patch. As a result, a non-DBA user would not be able to connect to any database from the patched server. This issue affected Unix and Linux platforms only. The behavior is corrected in OPatch versions 1.0.0.0.55 and 10.2.0.1.2 that are available on MetaLink via Patches 2617419 and 4898608 respectively.

If you have experienced this problem after applying an interim patch using OPatch versions 1.0.0.0.54 or 10.2.0.1.1, reapplying the interim patch using versions 1.0.0.0.55 and 10.2.0.1.2 will correct the problem. If the interim patch that you applied was Critical Patch Update January 2006 and reapplying the patch is not feasible, please be aware that a script is being developed to correct the file permission so re-installation would not be necessary. The availability of this script will be announced shortly in the Oracle Critical Patch Update January 2006 Pre-Installation Note for Oracle Database (Note 343384.1) and the Pre-Installation Notes for other products.

Please accept our apologies for any inconvenience you may have experienced, and we thank you for your patience and cooperation in keeping your Oracle products up-to-date.

Regards,Oracle Global Product Support

P.S. Please do not reply to this email as this email account is not monitored. If you require further assistance, please use MetaLink, https://metalink.oracle.com, to submit a Service Request. "

If you have either of these versions of OPatch then please download the new versions. Also note that if you used these versions to apply the January 2006 CPU then you will either need to fix the permissions yourself (not recommended as its unlikely to be supported) or wait for Oracle to supply a script to fix the issue. I guess this issue could be causing problems for some customers?

PFCLTraining is a set of expert training classes for you, aimed at teaching how to audit your own Oracle database,
design audit trails, secure code in PL/SQL and secure and lock down your Oracle database.

For any more information about our Oracle Security services or or our products to help you secure your Oracle database or our
expert Oracle Security training please call us now on +44 7759 277220 or contact us by email at info@petefinnigan.com